
MSFT_TeamsAppPermissionPolicy cannot be deployed using an app registration with certificate #4018

Closed
heizkoerperchen opened this issue Dec 11, 2023 · 9 comments


@heizkoerperchen

Description of the issue

When trying to deploy a TeamsAppPermissionPolicy I'm getting no error, but the AppPermissionPolicy is neither created nor updated. When I try to change/create the policy manually through the Microsoft Teams PowerShell module I get the following error:

```text
Set-CsTeamsAppPermissionPolicy : The App Id(s) specified could not be validated from the App Catalog. Please refer to documentation. CorrelationId: d62657c6-0734-4ae7-ae9b-4ba260dd7c28
At line:1 char:1
+ Set-CsTeamsAppPermissionPolicy -Identity "EHD Chat" -DefaultCatalogAp ...
    + CategoryInfo          : NotSpecified: (:) [Set-CsTeamsAppPermissionPolicy], PolicyRpException
    + FullyQualifiedErrorId : ClientError,Microsoft.Teams.Policy.Administration.Cmdlets.Core.SetTeamsAppPermissionPolicyCmdlet
```

When I try the same with my personal account it's working. All necessary API permissions are present at the app registration, so I think it is not supported to create/update AppPermissionPolicies using an application?

Microsoft 365 DSC Version

V1.23.1108.1

Which workloads are affected

Teams

The DSC configuration

```powershell
TeamsAppPermissionPolicy "TeamsAppPermissionPolicy-EHD Chat"
{
    ApplicationId          = $ApplicationId;
    CertificateThumbprint  = $Thumbprint;
    DefaultCatalogApps     = @(
        "0ae35b36-0fd7-422e-805b-d53af1579093",
        "0d820ecd-def2-4297-adad-78056cde7c78",
        "1c4340de-2a85-40e5-8eb0-4f295368978b",
        "26bc2873-6023-480c-a11b-76b66605ce8c",
        "2a527703-1f6f-4559-a332-d8a7d288cd88",
        "44263ed4-f1ac-4e96-93aa-d24dd50459ea",
        "com.microsoft.teamspace.tab.file.staticviewer.visio",
        "com.microsoft.teamspace.tab.planner",
        "com.microsoft.teamspace.tab.vsts",
        "com.microsoft.teamspace.tab.web",
        "d832a33f-28c2-4969-8ad0-4fee681dc5b4",
        "db5e5970-212f-477f-a3fc-2227dc7782bf",
        "95de633a-083e-42f5-b444-a4295d8e9314"
    );
    DefaultCatalogAppsType = "AllowedAppList";
    Ensure                 = "Present";
    GlobalCatalogApps      = "8562f79a-0ba8-4555-a967-6e34bdfecca9";
    GlobalCatalogAppsType  = "AllowedAppList";
    Identity               = "EHD Chat";
    PrivateCatalogApps     = @(
        "dd7a7127-c5cb-44d8-a0b4-c43bde6edf18",
        "fe501ee0-510b-49a6-a7f2-9cea2317578c",
        "38ae0174-8a9a-4e49-9d35-1aa578e21c0b",
        "3a26dd78-82b0-4d7b-a1c3-2424051672ac",
        "8f8bdd08-671a-41ff-af3e-30095701ac53"
    );
    PrivateCatalogAppsType = "AllowedAppList";
    TenantId               = $TenantId;
}
```

Verbose logs showing the problem

No response

Environment Information + PowerShell Version

No response
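As an added diagnostic (not part of this issue or of the Microsoft365DSC project), the script below connects with the same certificate-based app registration, reports which of the intended app IDs the app catalog can resolve in that session, and then compares the deployed policy against the intended list, since DSC reported success while the policy stayed unchanged. It assumes the MicrosoftTeams module; `$ApplicationId`, `$Thumbprint`, `$TenantId` and `$IntendedDefaultApps` are placeholders, and the `.Id` property on `DefaultCatalogApps` entries and the behaviour of `Get-TeamsApp` under app-only authentication are assumptions.

```powershell
# Added diagnostic: validate intended app IDs against the catalog and detect silent
# policy drift after a DSC run. Placeholders: supply your own app registration values.
param(
    [Parameter(Mandatory)] [string]   $ApplicationId,
    [Parameter(Mandatory)] [string]   $Thumbprint,
    [Parameter(Mandatory)] [string]   $TenantId,
    [Parameter(Mandatory)] [string[]] $IntendedDefaultApps,   # the DefaultCatalogApps list from the configuration
    [string] $PolicyName = 'EHD Chat'
)

# Same certificate-based service principal the DSC resource uses.
Connect-MicrosoftTeams -ApplicationId $ApplicationId -CertificateThumbprint $Thumbprint -TenantId $TenantId | Out-Null

# Step 1: can this app-only session see the catalog at all? An empty result points at the
# session/permission model rather than at individual IDs (assumption: Get-TeamsApp lists all apps).
$catalog = @(Get-TeamsApp -ErrorAction Stop)
if ($catalog.Count -eq 0) {
    Write-Warning 'Get-TeamsApp returned no apps for the service principal session; every ID will fail validation.'
}
$known = @{}
foreach ($app in $catalog) {
    $known[$app.Id] = $true
    if ($app.ExternalId) { $known[$app.ExternalId] = $true }
}

# Step 2: which intended IDs cannot be resolved? These are the ones the
# "could not be validated from the App Catalog" error refers to.
$unresolved = @($IntendedDefaultApps | Where-Object { -not $known.ContainsKey($_) })
if ($unresolved.Count -gt 0) {
    Write-Warning ('Not resolvable in the catalog: ' + ($unresolved -join ', '))
}

# Step 3: verify the deployed policy matches intent instead of trusting the DSC result.
# Assumption: each DefaultCatalogApps entry exposes the app ID as .Id
$policy  = Get-CsTeamsAppPermissionPolicy -Identity $PolicyName -ErrorAction Stop
$actual  = @($policy.DefaultCatalogApps | ForEach-Object { $_.Id })
$missing = @($IntendedDefaultApps | Where-Object { $actual -notcontains $_ })
$extra   = @($actual | Where-Object { $IntendedDefaultApps -notcontains $_ })

if ($missing.Count -gt 0 -or $extra.Count -gt 0) {
    Write-Warning "Policy '$PolicyName' drifted. Missing: $($missing -join ', ') | Unexpected: $($extra -join ', ')"
    exit 1   # non-zero so a pipeline step fails instead of reporting a silent no-op
}
Write-Output "Policy '$PolicyName' matches intent ($($actual.Count) default catalog apps)."
```

Run it once with the admin account and once with the service principal: a catalog that is empty only in the service principal session isolates the failure to app-only authentication rather than to the policy contents.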

@andikrueger
Collaborator

@heizkoerperchen
Author

@andikrueger Of course the app registration also has the Teams admin role assigned and all the required API permissions:

image

If I try to create an AppPermissionPolicy directly through the PS cmdlet signed in with the service principal using certificate I get the following error:

image

If I do the exact same with my admin account I'm able to create it:

image

@ricmestre
Contributor

I have the same issue but with TeamsAppSetupPolicy (see #4258). According to https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-application-authentication only the cmdlets below won't work, but it seems this isn't true.

- New-Team
- [Get|Set|New|Sync]-CsOnlineApplicationInstance
- PolicyPackage
- -CsTeamsShiftsConnection
- -CsBatchTeamsDeployment
- [Get|Set]-CsTeamsSettingsCustomApp
- Get-MultiGeoRegion

@andikrueger
Collaborator

andikrueger commented Feb 2, 2024

Just found some further concerning information in this article: https://github.com/MicrosoftDocs/office-docs-powershell/blob/main/skype/skype-ps/skype/New-CsTeamsAppPermissionPolicy.md#synopsis

> The existence of this cmdlet is being documented for completeness, but do not use this cmdlet.

A further thought as I was browsing through the current API permissions of this resource: the resource does not use the Graph cmdlets. In my opinion we should be good with the Teams admin role. All Graph API permissions should not be needed for this resource.

@andikrueger
Collaborator

Anyway, this still does not explain why this resource can be used with a user principal but not with a service principal. I remember that we do have an open issue about this kind of problem, but can't find it right now.

@andikrueger
Collaborator

Just found it: #3394

@ricmestre
Contributor

@andikrueger, yeah, but TeamsOrgWideAppSettings calls [Get|Set]-CsTeamsSettingsCustomApp, which falls under that table of cmdlets that are known not to work with app registration, but these other 2 resources don't call any of those cmdlets, so the info on that website is wrong.

@andikrueger
Collaborator

Yes. I was just about to add some context: I think the root cause for this issue here would also be the underlying functionality not supporting app credentials. Either the docs are wrong or the PowerShell module is broken.

@FabienTschanz
Collaborator

This should work by now. Closing the issue.
